Congress of the United States

Washington, DC 20510

June 27, 2019 


The Honorable Ajit Pai 
Chairman 

U.S. Federal Communications Commission 
445 12th Street, SW
Washington, D.C. 20554 

Dear Chairman Pai: 

We write to request information regarding the Federal Communications Commission’s (FCC)
Communications Security, Reliability and Interoperability Council (“CSRIC” or “Council”), and 
the extent to which that body may be inappropriately dominated by industry insiders. 

CSRIC is an advisory panel, tasked with “provid[ing] recommendations to the FCC regarding
ways the FCC can strive for security, reliability, and interoperability of communications 
systems.” 1 According to its charter, the Council membership must be drawn from a “balance” of 
“Federal, state, tribal, territorial and/or government agencies, consumer or community 
organizations or other non-profit entities, and the private sector,” in order to “balance the 
expertise and viewpoints that are necessary to effectively address the issues to be considered.” 2 
However, a recent investigation by the nonpartisan independent watchdog group, Project On 
Government Oversight (POGO), found that “the panel... is dominated by industry influences 
and falling short of legal requirements.” 3 In fact, “more than half of its members represented 
private sector interests, either as a direct employee of a for-profit company or via affiliation with 
an industry trade group.” 4 

First established in 1992 under its previous name as the Network Reliability Council, the Council 
exists as an advisory panel, and cannot issue rules or regulations. 5 However, the FCC has often 
relied on its recommendations, analysis, and research to inform its policy decisions, and, 
according to POGO, its input has “held heavy sway within the agency despite the obvious 
conflicts of interest inherent in their production.” 6 


1 The U.S. Federal Communications Commission, “Charter of the FCC’s Communications Security, Reliability and 
Interoperability Council,” p. 2, https://www.fcc.gov/file/15773/download.

2 Id. 

3 Project On Government Oversight, “Industry Influence on an FCC Advisory Panel,” Andrea Peterson, June 10, 
2019, https://www.pogo.org/analysis/2019/06/industry-influence-on-an-fcc-advisory-panel/.

4 Id. 

5 The U.S. Federal Communications Commission, “Network Reliability Council,”
https://www.fcc.gov/about-fcc/advisory-committees/communications-security-reliability-and-interoperability-9

6 Project On Government Oversight, “Industry Influence on an FCC Advisory Panel,” Andrea Peterson, June 10, 
2019, https://www.pogo.org/analysis/2019/06/industry-influence-on-an-fcc-advisory-panel/.









According to POGO, of the Council’s 22 current members, 13 are from the private sector, two 
are affiliated with an industry associated trade group, six are from government agencies, and 
only one member is from a civil society group. 

The industry-dominated personnel on the panel have recommended policies that are directly in 
line with the wishes of the companies from which their members are drawn. And to make 
matters worse, POGO interviews with former FCC staff also revealed that a lack of sufficient 
expertise among FCC staff regarding the growing world of data networks has led the agency to 
rely more heavily on input from the Council, giving it an outsized role in policy-making. 7 

For example, when the Council convened a working group to study and recommend best 
practices for cybersecurity under former Chairman Wheeler, the resulting 2015 report 
recommended making voluntary - rather than mandatory - commitments to follow the 
Commerce Department’s National Institute of Standards and Technology cybersecurity 
frameworks. 8 The panel made a similar decision a year later, again recommending a set of
non-binding guidances for carriers as opposed to mandatory requirements to address significant
security concerns relating to Signaling System No. 7 (SS7), a critical piece of 
telecommunications infrastructure that enables carrier interoperability and is famously 
vulnerable to hacking. 9 More recently, a March 2019 report by a CSRIC working group focusing 
on mitigating security risks to current IP-based protocols again only came up with voluntary best 
practices for the industry. 10 For this reason, the POGO investigation concluded that “instead of 
helping solve problems, this industry-dominated group has at times been a barrier to 
strengthening the security of America’s communications.” 11 

Having the FCC’s policy-making process rely on input from individuals employed by, or 
affiliated with, the corporations that it is tasked with overseeing is the very definition of 
regulatory capture. The FCC should be working on behalf of American consumers, not giant 
telecommunications companies. 


7 Ars Technica, “Why the US still won’t require SS7 fixes that could secure your phone,” Andrea Peterson, April 11, 
2019, https://arstechnica.com/features/2019/04/fully-compromised-comms-how-industry-influence-at-the-fcc-risks-our-digital-security/.

8 The U.S. Federal Communications Commission, Communications Security, Reliability and Interoperability 
Council, Working Group 4, “Cybersecurity Risk Management and Best Practices: Final Report,” March 2015, p. 30, 

https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf.

9 In June 2016, the FCC established a working group under CSRIC to come up with security recommendations for 
improving SS7. The working group was overwhelmingly dominated by industry insiders: of its 20 members, 5 were
from government agencies and 15 were affiliated with the private sector. 

The U.S. Federal Communications Commission, Communications Security, Reliability and Interoperability Council, 
Working Group 10, “Legacy Systems Risk Reductions: Final Report,” March 2017, 

https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf; Ars Technica, “Why the US still won’t require SS7
fixes that could secure your phone,” Andrea Peterson, April 11, 2019,
https://arstechnica.com/features/2019/04/fully-compromised-comms-how-industry-influence-at-the-fcc-risks-our-digital-security.

10 The U.S. Federal Communications Commission, Communications Security, Reliability and Interoperability 
Council VI, Working Group 3, “Final Report on Best Practices and Recommendations to Mitigate Security Risks to 
Current IP-based Protocols,” March 2019, file:///C:/Users/zd44543/Downloads/csric6wg3_finalreport_030819.pdf.

11 Project On Government Oversight, “Industry Influence on an FCC Advisory Panel,” Andrea Peterson, June 10, 
2019, https://www.pogo.org/analysis/2019/06/industry-influence-on-an-fcc-advisory-panel/.











Beyond the obvious conflicts of interest and risks to consumers that this arrangement creates, we 
are also concerned that its current makeup may not be consistent with the Federal Advisory
Committee Act, which requires that the membership of federal agency advisory committees must 
“be fairly balanced in terms of the points of view represented and the functions to be 
performed.” 12 

In order to effectively serve the American public, it is imperative that CSRIC’s membership be 
comprised of individuals with a diverse range of backgrounds and viewpoints, and include equal 
representation from various government agencies, academic experts, and consumer and 
community organizations, in accordance with its charter. 13 

To help us better understand the extent to which CSRIC may be corrupted by undue corporate
influence, as well as its role in FCC policy-making, we respectfully request that you answer the 
following questions no later than July 12, 2019. 


1. According to its own charter, CSRIC should be made up of members from “[f]ederal,
state, tribal, territorial and/or government agencies, consumer or community 
organizations or other non-profit entities, and the private sector,” 14 in order “to balance 
the expertise and viewpoints that are necessary to effectively address the issues to be 
considered.” But of the 22 current members serving on CSRIC, 15 are directly working 
for the private sector or are affiliated with industry associated trade groups, and only one 
member is from a civil society group. Please explain how the current composition of 
CSRIC meets this requirement in its charter. 

2. The Federal Advisory Committee Act, which applies to CSRIC, requires that the
membership of federal agency advisory committees must “be fairly balanced in terms of 
the points of view represented and the functions to be performed.” 15 Please explain how 
the current membership of CSRIC is following this statutory requirement. 

3. Please explain in detail your process for selecting members to serve on CSRIC, and any 
considerations that were made with regard to balancing members that are affiliated with 
the industry and members from consumer and community organizations. 

4. Please provide information on the number of individuals from tribal governments or 
tribal organizations that have been appointed to serve on CSRIC, or its predecessor, the 
Network Reliability Council, since 1992. For each individual, please list their name, the 
tribal government or tribal organization they were affiliated with, and the dates that they 
served on the Council. 


12 5a U.S. Code § 5(b)(2); The U.S. Federal Communications Commission, “Charter of the FCC’s Communications 
Security, Reliability and Interoperability Council,” p. 2, https://www.fcc.gov/file/15773/download.

13 The U.S. Federal Communications Commission, “Charter of the FCC’s Communications Security, Reliability and 
Interoperability Council,” p. 2, https://www.fcc.gov/file/15773/download.


14 Id. 


15 5a U.S. Code § 5(b)(2) 





5. Please explain CSRIC’s role in the FCC policy-making process and the extent to which 
the agency relies on the input from CSRIC. In explaining this process, please include the 
following: 

a. A list of all FCC actions under the current administration on which the CSRIC 
provided advice, guidance, or recommendations. 

b. Any documents the CSRIC produced as a part of any advice, guidance, or 
recommendations, including for the three working groups that studied the 911 
system’s reliability and resiliency during the NG911 transition; the 
comprehensive re-imagining of emergency alerting; and recommendations and 
best practices to reduce security risks to IP-based protocols. 

c. Information on the role that such advice, guidance, or recommendations played in 
FCC actions. 

6. Please include copies of any communication related to CSRIC membership between you 
or any FCC employee and any individuals affiliated with or representing an
FCC-regulated entity since you assumed the position of Chairman.

Thank you for your attention to this matter. 


Sincerely, 






